Q: Windows 2000 permissions ( Answered 4 out of 5 stars, 1 Comment )
Question  
Subject: Windows 2000 permissions
Category: Computers > Operating Systems
Asked by: stevenclary-ga
List Price: $5.00
Posted: 08 Apr 2003 09:36 PDT
Expires: 08 May 2003 09:36 PDT
Question ID: 187698
When I copy a folder from an NT machine (in old domain a) over to a
Windows 2000 server (in the new AD domain), the folder permissions
change.

(I thought I had this figured out when I realized I had the little
"Allow inheritable permissions from parent to propagate to this
object" box checked.  Even after I uncheck this box, the problem still
exists.)

I'm copying over web site folders from IIS 4 to IIS 5, but I need them
to maintain their permissions (with the exception of adding the
IUSR_machine user for anonymous access).

Clarification of Question by stevenclary-ga on 08 Apr 2003 09:40 PDT
(I am not sure if the domains have anything to do with it.)
Answer  
Subject: Re: Windows 2000 permissions
Answered By: cerebrate-ga on 08 Apr 2003 14:25 PDT
Rated:4 out of 5 stars
 
Dear stevenclary-ga,

I'm afraid that beubliss-ga's comment doesn't quite reflect the
realities of the situation.

There are actually two separate considerations here. The first is how
the permissions on files and folders are affected by copying files:

"When a file is copied from one location to another location, whether
on the same or different volume, a new file is created in the
destination location. The file inherits the permissions, the Access
Control List (ACL), from its parent folder.

When a file is moved from one location to another on the same volume,
the file retains its security descriptor. Only the pointer to the
resource is modified.

When a file is moved from one location to another on a different
volume, it acts similar to the copy, except the file is deleted from
the source location. The moved file inherits the permission from the
parent folder."
  - Microsoft Knowledge Base Article - 266627
    http://support.microsoft.com/?kbid=266627

"A complete copy of a file's ACL is stored with the file, and the only
difference between explicitly defined and inherited ACL properties is
that the inherited ones are simply marked as such. However, when you
copy or move a file to another volume, you are in essence creating an
entirely new file with a whole new ACL! Moving it around on the SAME
volume just modifies the existing pointer to the file -- you're not
creating anything, and so the ACL is not rewritten. That's why moving
or copying a file to a different volume will cause it to inherit the
attributes of wherever it's being moved to: it's as if you've created
a whole new file in that folder, one which is beholden to whatever
inheritable attributes come from its parent."
  - Windows 2000 Power Users, Volume 1, Number 26
    http://www.thegline.com/win2k/issues/2001/26.html

In summary, whenever you copy a file, or when you move it to any
volume - such as another machine - other than the one it is currently
on, it gets a new set of permissions based on wherever you just moved
it to. That's part of the design of Windows NT/2000, as explained in
that article.

That said, there are ways around this, using the XCOPY command or
registry setting described below, or the SCOPY command from the
Resource Kit:

"If you use the XCOPY command to mass-move files or folders, the /O or
/X switch will preserve the way permissions are both retained and
inherited by the objects in their target destination. But what if you
want to preserve permissions continually, without having to use XCOPY?

To force ACLs always to be preserved when copying files between
volumes, fire up REGEDIT and navigate to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Add a REG_DWORD value named ForceCopyAclwithFile and set it to 1. You
will either need to log off and back in again or reboot the system for
this to take effect. To undo this, either delete the key or set it to
0."
  - Win2000 Tips & Newsletters -> Administrator
    http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci876658,00.html

You should also be aware that there is a domain issue. If the new AD
domain trusts the old NT domain, then you will be able to copy the
permissions using these tools and have them work, at least until the
old NT domain is decommissioned.

If this is not the case, however, the old permissions can't be
successfully copied onto a machine in the new domain - even if the
accounts have the same names, the internal security ID that Windows
uses is different, and so the permissions won't be recognised. In this
situation, I'm afraid you'll need to rebuild the permissions from
scratch.

I hope this answers your question. If there is anything that remains
unclear, please feel free to request a clarification,

cerebrate-ga

Search strategy:

Personal knowledge as W2K admin.
Google Microsoft Search, "ACLs and copying" -
://www.google.com/microsoft?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=ACLs+and+copying

Request for Answer Clarification by stevenclary-ga on 10 Apr 2003 05:03 PDT
You said:
You should also be aware that there is a domain issue. If the new AD
domain trusts the old NT domain, then you will be able to copy the
permissions using these tools and have them work, at least until the
old NT domain is decommissioned.


Can you clarify if you meant that I would be able to copy until the
old NT domain is decommissioned ... or they would work (after the
copying) until the NT domain is decommissioned?


Also, what is scopy?  Are there any advantages over xcopy?  Another
thought... what if I did a backup and then redirected the restore to
the new volume?

Your answer is very helpful, thank you!

Clarification of Answer by cerebrate-ga on 23 Apr 2003 02:08 PDT
Dear stevenclary-ga,

"Can you clarify if you meant that I would be able to copy until the
old NT domain is decommissioned ... or they would work (after the
copying) until the NT domain is decommissioned?"

What I meant was that the permissions would work (after copying) until
the NT domain was decommissioned. When they're used, the new domain
will go back to the old domain to verify them - as soon as it's
decommissioned, that won't be possible any more.

As for scopy, it's a tool provided in the Windows NT 4.0 Resource Kit
for copying files along with their attached permissions. Its
functionality was rolled into XCOPY in Windows 2000, so you should
only need it if you do the copies from the old machines, not the new
machines.

The possibility of doing a backup and then restoring onto the new
volume is also a possibility, as most backup software carries ACLs
along, but this again will only work until the old domain is
decommissioned, at which point you would need to have changed the
permissions as I described.

I apologise for not getting back to you earlier with this information,
and thank you for the high rating.

cerebrate-ga
stevenclary-ga rated this answer:4 out of 5 stars and gave an additional tip of: $2.00
Great job, thanks for the info.
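
The answer's two points (inherited ACL entries are only marked as inherited, and entries naming old-domain accounts keep working only while the old domain can resolve their SIDs) can be checked on a copied folder's security descriptor. The following is an added example, not part of the original answer: it parses an SDDL string and lists the entries whose SID was not issued by the new domain. The new-domain identifier, the sample SDDL and the function names are assumptions; the old-account SID is the one quoted in the comment on this page.

```python
import re

# Constructed sample: SDDL of a folder copied with its ACL preserved.
# The first trustee is the SID quoted in the comment on this page; the
# new-domain identifier and the account under it are made up.
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:BAG:SYD:AI"
    "(A;OICI;FA;;;S-1-5-21-1275210071-436374069-725340548-1215)"
    "(A;OICI;0x1200a9;;;" + NEW_DOMAIN + "-1003)"
    "(A;OICIID;FA;;;BA)"
    "(A;OICIID;FA;;;SY)"
)

DACL_RE = re.compile(r"D:[^()]*((?:\([^()]*\))*)")
ISSUED_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts (owner, group and SACL are skipped)."""
    match = DACL_RE.search(sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1) if match else ""):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        # ACE flags are concatenated two-letter codes, e.g. "OICIID".
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        aces.append({
            "type": fields[0],
            "inherited": "ID" in flags,  # inherited ACEs are only marked as such
            "rights": fields[2],
            "trustee": fields[5],
        })
    return aces


def aces_needing_rebuild(sddl, known_authorities):
    """List (trustee, inherited) for ACEs whose SID was issued by a domain or
    machine not in known_authorities, e.g. accounts from the old domain."""
    stale = []
    for ace in parse_dacl(sddl):
        issued = ISSUED_SID_RE.match(ace["trustee"])
        if issued and issued.group(1) not in known_authorities:
            stale.append((ace["trustee"], ace["inherited"]))
    return stale


if __name__ == "__main__":
    for trustee, inherited in aces_needing_rebuild(SAMPLE_SDDL, {NEW_DOMAIN}):
        print(trustee, "inherited" if inherited else "explicit")
```

Local accounts such as IUSR_machine carry the server's own machine identifier, so that identifier belongs in `known_authorities` alongside the new domain's.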

Comments  
Subject: Re: Windows 2000 permissions
From: beubliss-ga on 08 Apr 2003 13:06 PDT
 
Hi stevenclary!

When you copy a file or folder that already had permissions, the new OS
(in your case Win2k) normally adds a permission like
S-1-5-21-1275210071-436374069-725340548-1215, because the OS doesn't know
the accounts of the previous OS.

If that's the case, you can delete these, and add all that you want.

"Allow inheritable permissions" is used to give all the permissions to the
rest of the tree (all subdirectories and files).

And the domain shouldn't change anything.

So you said: "Even after I uncheck this box, the problem still
exists."
What problem still? A problem with the web site?

I hope this helps you ;)

Beubliss
